Re: Cisco 7600 (7609) as a core BGP router.
Roland, The only issue I have I with your reply is that is somehow still acceptable to not have these features in a core device. -jim ------Original Message------ From: Roland Dobbins To: NANOG list Subject: Re: Cisco 7600 (7609) as a core BGP router. Sent: Jul 18, 2009 1:09 AM On Jul 18, 2009, at 4:30 AM, Steven King wrote:
We use the 7600 platform as a Customer Border device.
The 7600 is actually quite a poor choice as an edge device (any edge) due to its caveats regarding NetFlow, ACLs, and uRPF. It's far better suited to a core role, where it can handle mpps running without the need for these critical edge features. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Unfortunately, inefficiency scales really well. -- Kevin Lawton Sent from my BlackBerry device on the Rogers Wireless Network
On (2009-07-18 05:12 +0000), deleskie@gmail.com wrote: Hey,
The only issue I have I with your reply is that is somehow still acceptable to not have these features in a core device.
I'm guessing point Roland was making (which he likely would have not made couple moons ago:) was related to the lack of IPv6 uRPF, chassis wide uRPF mode and IPv6 ACL either have /128 look-up and no L4 lookup or L4 lookup and accordingly reduced lookup, forcing longer prefixes to software (compression removes bits 24-39 from hardware). In practice this means, if you enable compressed mode, to allow L4 lookups in ACL, and you likely will (how else are you going to protect server, if you can't allow MGMT/ssh and internet/http and drop rest?) you will need to take care that you never do 'host 2001:db8::1' but stay within the boundaries. Typically this is non-issue, as you have rather large subnets, and typically inside this subnet there is same security policy, that is, all hosts can use same ACL. It is easy to verify if particular ACE from ACL line is in hardware or is punted, so it will be easy to fix it, before going live. This is still definitely something you need to consider. I'd agree that no IPv6/uRPF is rather show-stopper for longer term edge use, but I don't think the IPv6/ACL is deal-breaker. In core I personally have no use for uRPF or ACL, as I'm not facing customers in core. EARL8 (Nexus7k) fixes the IPv6/uRPF and IPv6/ACL issue. Someone mentioned the ACL TCAM, planning its usage is also important you can use 'shot tcam counts' to see the resource usage. Pay particular attention to 'LOU' usage (which is used for gt/lt/neq/range operators, and is hence somewhat expensive). But knowing the limitation and how ACL lines are compiled to ACEs makes it typically easy to scale as far you need to.
-jim ------Original Message------ From: Roland Dobbins To: NANOG list Subject: Re: Cisco 7600 (7609) as a core BGP router. Sent: Jul 18, 2009 1:09 AM
On Jul 18, 2009, at 4:30 AM, Steven King wrote:
We use the 7600 platform as a Customer Border device.
The 7600 is actually quite a poor choice as an edge device (any edge) due to its caveats regarding NetFlow, ACLs, and uRPF. It's far better suited to a core role, where it can handle mpps running without the need for these critical edge features.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
Sent from my BlackBerry device on the Rogers Wireless Network
-- ++ytti
On Jul 18, 2009, at 2:37 PM, Saku Ytti wrote:
I'm guessing point Roland was making (which he likely would have not made couple moons ago:)
I've made this point for years, quite publicly, actually - even when it was unpopular for me to do so in certain quarters. ;> uRPF for 7600/6500 can only be in one mode for the whole box, all interfaces. This is a major problem in many cases. The NetFlow issues render flow telemetry unusable in production situations. The ACLs work very differently on this platform due to LOU issues, as you say. Most folks don't know this, and many end up overflowing their TCAMs and not realizing it until their boxes fall over, heh. If one has fairly complex ACLs covering various ranges of ports, ACLs on 7600/6500 quickly become very difficult to manage.
EARL8 (Nexus7k) fixes the IPv6/uRPF and IPv6/ACL issue.
And the NetFlow issues. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Unfortunately, inefficiency scales really well. -- Kevin Lawton
Can someone provide a link, or more detail, on the netflow issues. Particularly as they relate to 6509's and sup720's. Thanks! On 7/18/09, Roland Dobbins <rdobbins@arbor.net> wrote:
On Jul 18, 2009, at 2:37 PM, Saku Ytti wrote:
I'm guessing point Roland was making (which he likely would have not made couple moons ago:)
I've made this point for years, quite publicly, actually - even when it was unpopular for me to do so in certain quarters.
;>
uRPF for 7600/6500 can only be in one mode for the whole box, all interfaces. This is a major problem in many cases.
The NetFlow issues render flow telemetry unusable in production situations.
The ACLs work very differently on this platform due to LOU issues, as you say. Most folks don't know this, and many end up overflowing their TCAMs and not realizing it until their boxes fall over, heh. If one has fairly complex ACLs covering various ranges of ports, ACLs on 7600/6500 quickly become very difficult to manage.
EARL8 (Nexus7k) fixes the IPv6/uRPF and IPv6/ACL issue.
And the NetFlow issues.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
-- Sent from my mobile device -- Darren Bolding -- -- darren@bolding.org --
On Jul 18, 2009, at 5:05 PM, Darren Bolding wrote:
Can someone provide a link, or more detail, on the netflow issues. Particularly as they relate to 6509's and sup720's.
mls table can hold 256K entries at 93% efficiency, so you end up with about 239K flows total. No packet-sampled control of flow creation, so the table is likely to be overflowed in production edge situations, leading to non-deterministically skewed stats. No logical OR of TCP flags throughout a TCP flow - can't classify SYN- floods, RST-floods, et. al. No stats on dropped traffic. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Unfortunately, inefficiency scales really well. -- Kevin Lawton
On Jul 18, 2009, at 5:05 PM, Darren Bolding wrote:
Can someone provide a link, or more detail, on the netflow issues. Particularly as they relate to 6509's and sup720's.
Note that these issues are all fixed on the Nexus 7000, with the EARL8 ASIC. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Unfortunately, inefficiency scales really well. -- Kevin Lawton
On Sat, Jul 18, 2009 at 03:05:32AM -0700, Darren Bolding wrote:
Can someone provide a link, or more detail, on the netflow issues. Particularly as they relate to 6509's and sup720's.
The long and short of it is the current hardware (EARL7) is incapable of doing sampling (i.e. looking at 1 out of every Nth packets). It gathers all of the flow data into tcam and THEN does sampling in software, but by that point its already too late because the tcam is exhausted. Turning on sampling actually makes it worse, because it forces a flowmask which fills the tcam even faster. In my experience, even with extremely aggressive aging and a dest only flowmask (discarding all src and L4 port information to make it fit better), it tops out at around 2Gbps of "generic wholesale IP" traffic you can sample. Obviously when it runs out of steam is dependent on the number of flows in your network, you could be much better or much worse depending on your traffic, but the point is it usually doesn't work for most people. Adding DFC daughterboards makes this capacity scale linearly, i.e. you go from 2Gbps system-wide capacity to 2Gbps per slot capacity, but this typically doesn't make any difference. The only recent improvement is that in SXH+ and SRB+ software you can now enable netflow on a per-interface basis rather than a global basis (before this, all traffic was sampled globally regardless of what you configured on the interfaces). This can let you exclude interfaces you don't care about (such as core links) use your limited resources only on interfaces you do care about (such as edge links). Until they come out with the EARL8 SUPs (what have they pushed that back to now, 2011? :P) you are basically SOL in the netflow dept. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
On (2009-07-18 15:58 +0700), Roland Dobbins wrote:
uRPF for 7600/6500 can only be in one mode for the whole box, all interfaces. This is a major problem in many cases.
From my point of view, as long you can live with LAN cards in 7600 is has excellent bang for buck, with really no competing products out there. But
I referred to this as 'chassis wide uRPF'. I'm not sure if that is big issue in many networks. You run uRPF/strict to single homed customer and uRPF/loose to transit/peering. Often networks already have dedicated peering boxes. I'm not sure, but I believe technically PXF (ES20, SIP600) and EZchip (ES+) should have no trouble doing uRPF, so I think it's just software development issue, that even with these cards, you're bound to this limitation. the moment you need to terminate multiple customers to single port and provide QoS (which implies H-QoS) the box has several attractive competitors, most of them are even newer generation, such as MX. -- ++ytti
participants (5)
-
Darren Bolding
-
deleskie@gmail.com
-
Richard A Steenbergen
-
Roland Dobbins
-
Saku Ytti